837 ADSL VPN 1

[Rod25]

Hi Guys,
I am new to 837 routers. There are four ethernet ports. Are these ports switch ports and can they be configured with IP addresses?
Does anyone have configs for 837 routers with GRE tunnels and IPSec? I would appreciate help on this.

Thanks in advance,
Rod

 

[KiscoKid]

Hi

All those Ethernet ports are just switch ports. You only get one Ethernet routed connection so no you can't configure all of them with an IP address.

I hope the following link from Cisco that shows step by step how to setup IPSEC over GRE on the 837 will be of some use:

http://www.cisco.com/en/US/products..._guide_chapter09186a0080118d1a.html#wp1087086

 

[Rod25]

Hi KiscoKid,
Thank you for your reply. I am trying to configure two ADSL 837 routers interconnecting via internet. I will have ethernet0 configured for local LAN i.e. private address 10.x.x.x but where do I assign the public address on 837 i.e. the public address assigned by ISP??? Do I need to use the ATM interface?

Thanks again,
Rod

 

[KiscoKid]

Hi Rod

You create a Dialer interface and assign this your public IP. Something like as follows:

interface ATM0
no ip address
ip route-cache policy
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
ip address 212.40.60.9 255.255.255.248
encapsulation ppp
dialer pool 1
ppp chap hostname userid
ppp chap password password
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0

 

[Rod25]

Hi KiscoKid,
Thank you for your reply. What I have is private LAN 10.x.x.x on ethernet 0. But I did not know where to configure the public address. I have set up GRE Tunnels and IPSEC. I will need to NAT or will the 10.x.x.x be routed out as I have EIGRP running??

Thanks again,

Rod

 

[KiscoKid]

Whether you need to NAT depends on what you're trying to achieve.

For instance, if you're simply creating a secure tunnel between one private LAN and another, chances are you won't need to NAT unless the other private LAN has overlapping/similar address space.

It may be you want do the above plus allow LAN hosts access the Internet as well. In this case, you will need to perform NAT for this work.

As you can see, NAT or No NAT depends on what you are trying to achieve.

 

[Rod25]

Hi KiscoKid,
Thanks again for that. I have a sample config that has the following:

crypto isakmp policy 1
group 2
crypto isakmp key 1234xxxxx address [public address of remote 837]

My question is what is the 'group 2' command for?

and can I add another 'crypto isakmp key 1234xxxxx address [another remote 837] under the same policy or do I create another policy for the new site?

Thanks in advance,
Rod

 

[KiscoKid]

The group 2 parameter under your IKE policy is telling the router which Diffie-Hellman group to use (acceptable values are 1 or 2)

You can, if you wish, add another remote router under the same policy howeber that remote router needs to be configured with the same IKE parameters as the router you are configuring on (i.e. DH 1 or 2/DES or 3DES etc)

 

[Rod25]

Hi KiscoKid,
Thanks again for that. You really know your stuff....

Cheers,
Rod